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Abstract 

We present a new protocol and two lower bounds for quantum coin 
flipping. In our protocol, no dishonest party can achieve one outcome 
with probability more than 0.75. Then, we show that our protocol is 
optimal for a certain type of quantum protocols. 

For arbitrary quantum protocols, we show that if a protocol achieves 
a bias of at most e, it must use at least (log log - ) rounds of commu- 
nication. This implies that the parallel repetition fails for quantum coin 
flipping. (The bias of a protocol cannot be arbitrarily decreased by run- 
ning several copies of it in parallel.) 



1 Introduction 

In many cryptographic protocols, there is a need for random bits that are com- 
mon to both parties. However, if one of parties is allowed to generate these 
random bits, this party may have a chance to influence the outcome of the pro- 
tocol by appropriately picking the random bits. This problem can be solved by 
using a cryptographic primitive called coin flipping. 

Definition 1 A coin flipping protocol with e bias is one where Alice and Bob 
communicate and finally decide on a value c G {0, 1} such that 

• // both Alice and Bob are honest, then Prob(c = 0) = Prob(c = 1) = 1/2. 

• // one of them is honest (follow the protocol), then, for any strategy of the 
dishonest player, Prob{c — 0) < 1/2 + e, Prob{c — 1) < 1/2 + e. 
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Classically, coin flipping was introduced by Blum|^. Classical coin flipping 
protocols are based on computational assumptions such as one-way functions. 

However, classical one-way functions may not be hard against quantum ad- 
versaries. (For example, factoring and discrete log are not hard in the quantum 
case [29 .) Finding a good candidate for a one-way function secure against quan- 
tum adversaries is an important open problem. 

On the other hand, the unique properties of quantum mechanics allow the 
implementation of certain cryptographic tasks without any computational as- 
sumptions. (The security proof is based only on the validity of quantum mechan- 
ics.) The most famous example is the quantum key distribution |Q, |[ |4[ |30| . 
The question is: can we replace the computational assumptions of the classical 
case by information-theoretic security in the quantum case for the coin flipping? 

For bit commitment (a related cryptographic primitive), this is impossible [pO|, 

p3|p]. The ideas of this impossibility proof can be used to show that there is 
no quantum protocol for perfect quantum coin flipping (quantum coin flipping 
with bias 0) |2^, However, this still leaves the possibility that there might 
be quantum protocols with an arbitrarily small bias e > 0. 

The first positive result was by Aharonov et.al.||^ who gave a protocol for 
quantum coin flipping in which a dishonest party cannot force a given outcome 
with probability more than 0.9143... 

There has been some effort to construct more complicated protocols which 
would achieve arbitrarily small e > 0. At least two protocols have been proposed: 
by Mayers et.al.|^ and by Zhang et.al.|Q. None of them had provable security 
guarantees but both were conjectured to achieve an arbitrarily small e > for 
an appropriate choice of parameters. Both of them were eventually broken: the 
protocol of |25(] was broken by |l8[ ||0 and the protocol of || IS insecure 
because of our Theorem ^. 

In this paper, we give a simple protocol in which a dishonest party cannot 
achieve one outcome with probability more than 0.75. 

Then, we show that our protocol is optimum in a certain class of protocols 
that includes our protocol, the protocol of [|| and other similar protocols. 

Our third result (Theorem ||) shows that, if there is a protocol with an 
arbitrarily small bias e > 0, it must use a non-constant number of rounds of 
communication (not just communicate many qubits in a constant number of 
rounds). Namely, a coin flipping algorithm with a bias e needs to have at least 
f2(log log i) rounds. In particular, this means that the parallel repetition fails for 
quantum coin flipping. (One cannot decrease the bias arbitrarily by repeating 
the protocol in parallel many times.) 

Related work. We have recently learned that two of results in this paper 
(the 0.75 protocol and the matching lower bound for a class of protocols) have 
been independently discovered by Spekkens and Rudolph [Q. Also, Kitaev [ pTf 

^It is possible, however, to have quantum protocols for bit commitment under quantum 
complexity assumptions (existence of quantum 1-way functions). See Dumais et.al.Q and 
Crepeau et.al.la] 

^The paper |33] claims to break any protocol for coin fli ppi ng but this claim is incorrect. 
It does break a class of protocols which includes the one of |25[ , though. 
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has very recently shown that, in any protocol, at least one party can achieve 
one outcome with probability at least l/\/2 = 0.71.... Thus, our 0.75 protocol 
is close to being optimal. 

Curiously, Kitaev's lower bound does not apply to a weaker version of coin 
flipping. In weak coin flipping, it is known in advance that Alice wants to 
bias the coin to and Bob wants to bias it to 1. Then, it is enough to give 
guarantees about Pr[c = 0] if Bob is honest but Alice cheats and Pr[c = 1] 
if Alice is honest but Bob cheats. Protocols for weak coin flipping have been 
studied by Goldenberg Spekkens and Rudolph |^ and Ambainis|Q. The 
best protocol |^ achieves a maximum bias of 1/ \/2. We note best lower bound 
for weak coin flipping is Theorem ^ of this paper. 

The role of rounds in quantum communication has been studied in a different 
context (quantum communication complexity of pointer jumping) by Klauck et. 
al. pd. There is a popular survey of quantum cryptography by Gottesman and 



2 Preliminaries 

2.1 Quantum states 

We briefly introduce the notions used in this paper. For more detailed explana- 
tions and examples, see | |2^ . 

Pure states: An n-dimensional pure quantum state is a vector \tp) e C" of 
norm 1. Let |0), |1), . . ., \n — 1) be an orthonormal basis for C". Then, 
any pure state can be expressed as = X]r=o^"«K) ^'^^ some oq G C, 
ai G (D, . . ., Qn-i & C Since the norm of is 1, |aip ~ 1. 

The simplest special case is n = 2. Then, the basis for C'^ consists of two 
vectors |0) and |1) and any pure state is of form a|0) + 6|1), a S C, 5 € C, 
|ap + |6p = 1. Such quantum system is called a quantum bit (qubit). 

We often look at j?/)) as a column vector consisting of coefficients a;. Then, 
we use ("01 to denote the conjugate transpose of (■01 is a row vector 
consisting of a* (complex conjugates of a^). In this notation, ("010) denotes 
the inner product of ■0 and 0. (If \^p) = X)^*!*)' 1*?^) — X^^^IOj then 
(010) = Wi't'l denotes the outer product of -0 and (an nx n 

matrix with entries aib*). 

Mixed states: A mixed state is a classical probability distribution {pi, 

< Pi < 1, 'YliiPi — 1 over pure states |'0i)- The quantum system de- 
scribed by a mixed state is in the pure state \'ipi) with probability pi. 

A mixed state can be also described by its density matrix p = Pi I ^j) (V'i I • 
It can be shown that any density matrix has trace 1. [A trace of a matrix 
is the sum of its diagonal entries.) 

A quantum system can undergo two basic operations: a unitary evolution 
and a measurement. 
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Unitary evolution : A unitary transformation C/ is a linear transformation on 
C'' that preserves the I2 norm (i.e., maps vectors of unit norm to vectors 
of unit norm). 

If, before applying U, the system was in a pure state jV'), then the state 
after the transformation is U\ip). 

If, before U, the system was in a mixed state with a density matrix p, the 
state after the transformation is the mixed state with the density matrix 
UpW. 

Projective measurements ; An observable is a decomposition of C'" into 
orthogonal subspaces Hi , . . . , Hi: = Hi (B H2 (B ■ ■ ■ (B Hi. A measure- 
ment of a pure state \tp) with respect to this observable gives the result 
i with probability ||Pi 1-0)11^ where Pi\ip) denotes the projection of {ip) to 
the subspace Hi- After the measurement, the state of the system becomes 

A more general class of measurements are POVM measurements (see p^). 
In most of this paper, it will be sufficient to consider projective measure- 
ments. 



2.2 Bipartite states 

Bipartite states: In the analysis of quantum coin flipping protocols, we often 
have a quantum state part of which is held by Alice and the other part 
by Bob. For example, wc can have the EPR state (the state of two qubits 
-i=|0)|0) + with the first qubit held by Alice and the second 

qubit held by Bob. Such states are called bipartite states. 

Tracing out: If Alice measures her part, Bob's part becomes a mixed state. 
For example, if Alice measures the first qubit of the EPR state in the basis 
consisting of |0) and Bob's state becomes |0) with probability 1/2 and 
|1) with probability 1/2. Let p be the density matrix of the mixed state 
that Bob gets if Alice measures her part of a bipartite state Then, 
we say that p is obtained by tracing out the Alice's part of 1-0). 

There are many different ways how Alice can measure (trace out) her part. 
However, they all give the same density matrix p for Bob's part. 

Purification: Let p be a mixed state. Then, any pure state of a larger sys- 
tem that gives p if a part of the system is traced out is called a purification 
of p. 



2.3 Distance measures between quantum states 

We use two measures of distance between quantum states (represented by den- 
sity matrices): trace distance and fidelity. For more information on these (and 
other) measures of distance between density matrices, see p^, p^. 
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Trace distance: Let p ~ (pi, . . . and q = {qi, . . . , qk) be two classical 
probability distributions. Then, the variational distance between p and q 



The variational distance characterizes how well one can distinguish the 
distributions p and q. 

In the quantum case, the counterpart of a probability distribution is a 
mixed state. The counterpart of the variational distance is the trace dis- 
tance. It is defined as follows. 

The trace norm of a matrix A is the trace of \A\ where \A\ = vATA is 
the positive square root of A^ A. We denote the trace norm of A by \\A\\t. 
The following lemma relates the trace norm of pi — p2 (which we also call 
trace distance between pi and P2) with the variational distance between 
distributions obtained by measuring pi and p2- 

Lemma 1 ^ Let p^^^, be the probability distributions generated by 
applying a measurement M to mixed states pi and pi- Then, for any 
(projective or POVM) measurements, \p^[—p^i\ < ||pi— P2||t and there 
exists a measurements that achieves the variational distance ||pi — P2||i- 

We can always choose the measurement M that achieves the variational 
distance \\pi — P2\\t so that is a projective measurement and it has just 
two outcomes: and 1. 

Fidelity: Let and \'4'2) be two bipartite states. Let pi and p2 be the mixed 
states obtained from and \^2) by tracing out (measuring) Alice's part. 

Lemma 2 j pl| , If Pi — P2, then Alice can transform into IV'2) by 
a transformation on her part of the state. 

For example, consider the bipartite states 



with the first qubit held by Alice and the second qubit held by Bob. If 
Alice measures her qubit of \ipi), Bob is left with |0) with a probability 
1/2 and |1) with a probability 1/2. If Alice measures her qubit of |i/'2), 
Bob is left with ^(|0) + |1)) with a probability 1/2 and ^(|0) - |1)) with 
a probability 1/2. Both of those states have the same density matrix 



IS 



k 




i=l 



|V'i> = ^(|00) + |01)), 

IV'2)-^(|oo) + |oi) + |io)-|ii)), 



( 



1/2 
1/2 



) 
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By lemma ^ this means that Alice can transform \ipi) into \tp2)- Indeed, 
she can do that by applying the Hadamard transform H to her qubit. 

A generalization of lemma H is: if the two density matrices pi and p2 are 
close, then Alice can transform into a state 1-01) that is close to \ip2)- 

In this case, the distance between the two density matrices is measured 
by the fidelity F{pi,p2)- The fidelity is defined as 

Fipi,p2) ^ max \{'4,i\i>2)\\ 
\i>i),\i'2) 

over all choices of and \ip2) that give density matrices pi and p2 when 
a part of system is traced out. 

Lemma 3 J7^/ Let pi, p2 be two mixed states with support in a Hilbert 
space Ti., K, any Hilbert space of dimension at least dim(7i), and \<f)i) any 
purifications of pi m 7i(g)/C. Then, there is a local unitary transformation 
U on K that maps \4>2) to j^j) = I ® ^^102) such that 

\{M)\^^F{p,,p2). 



Lemma 4 JS^/ 




Relation between trace distance and fidelity: The trace distance and the 
fidelity are closely related. If pi and p2 are hard to distinguish for Bob, 
then Alice can transform j?/)!) into a state close to \'4)2) and vica versa. 
Quantitatively, this relation is given by 

Lemma 5 J7q/ For any two mixed states pi and p2, 



1 - \fF{pi7p2) < 2 IIpi - P2\\t < \/l - F{pi,p2). 
In particular, F{pi, P2) = if and only if \\pi — p2\\t = 2. 



3 A protocol with bias 0.25 

Protocol: Define 

-1=10) + -1=12) 



if 6 = 


0, X 


= 


if 6 = 


0, X 


= 1 


if 6 = 


1, X 


= 


if 6 = 


1. X 


= 1 
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1. Alice picks a uniformly random b G {0, 1} and x G {0, 1} and sends \(f>b,x) 
to Bob. 

2. Bob picks a uniformly random b' E {0, 1}, sends b' to Alice. 

3. Alice sends b and x to Bob, lie checks if the state that he received from 
Alice in the f** step is {(fib.x) (by measuring it in with respect to in a basis 
consisting of \4>b.x) and two vectors orthogonal to it)^ If the outcome of 
the measurement is not \4>b,x), be has caught Alice cheating and he stops 
the protocol. 

4. Otherwise, the result of the coin flip is 6 b' . 




Theorem 1 The bias of this protocol is 0.25. 

Proof: Wc bound the probability of dishonest Alice (or dishonest Bob) achiev- 
ing b ® b' = 0. The maximum probability of achieving 6 ® &' = 1 is the same 
because the protocol is symmetric. 

Case 1: Alice is honest, Bob cheats. If 6 = 0, Alice sends a mixed state that 
is equal to -^(|0) + |1)) with probability 1/2 and -^(|0) — |1)) with probability 

1/2. If 6 = 1, she sends a mixed state that is equal to -^(|0) + |2)) with 
probability 1/2 and "^(|0) — |2)) with probability 1/2. The density matrices of 
these two mixed states are 

i 
Po = I \ 1 pi 


and IIpo — = 1. By Theorem 3 of [H, the probability that Bob achieves 
b^b' IS at most \ + ksL^Mi. = |. 
Case 2: Bob honest, Alice cheats. 

Let p be the density matrix of the state sent by Alice in the T^' step. The 
first step of the proof is to "symmetrize" Alice's strategy so that it becomes 
easier to bound her success probability. 

Lemma 6 There is a strategy for dishonest Alice where the state sent by Alice 
in the 1^* round has the density matrix of the form 

\-5i 

<5i I (1) 



for some 5i and 82 and Alice achieves b = b' with the same probability. 




^For example, if fe = a; = 0, then Bob could measure in the basis |</>oo) = '^1'') ^~ '^2'^^^ 
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Proof: Let Uq = I, 
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Assume that Alice, before sending the state to Bob in the 1*^' round, apphes 
Ui to it and, then, in the 3'''^ round, replaces each description of \(f>b,x) by a 
description of Ui\(l)b,x)- Then, Ahce achieves the outcomes and 1 and gets 
caught with the same probabilities as before because 

(a) For all i e {0,1,2,3}, b e {0,1}, x G {0,1}, J7i|06,^) is either \<j>b^o) or 
\(t)b,i), and 

(b) For any \tp), the inner product between Ui\ip) and Ui\(j)b,x) is the same as 
the inner product between \ip) and \(f>b,x)- 

Probabilities of obtaining 0, 1 and getting caught also stay the same if Alice 
picks a uniformly random i € {0, 1, 2, 3} and then applies Ui to both the state 
sent in the 1*^' round and the description sent in the 3'''^ round. In this case, the 
density matrix of the state sent by Ahce in the 1*^* round is p' — j{UopUq + 
UipU\ + U2pUl + UspUl). For every j, k G {1, 2, 3}, j ^ fc, {U^pU\),^ is equal 
to pjfe for two i £ {0, 1, 2, 3} and to —pjk for the two other i. Therefore, p^j, = 
for all j ^ k, i.e. p' is of the form (^. □ 

Lemma 7 For "symmetrized" Alice 's strategy, the probability that Alice con- 
vinces Bob that b = is at most F(p',po). 

Proof: Let 

|V)-5]a,|z)|^.) (2) 

i 

be the purification of p' chosen by Alice if she want to convince Bob that 6 = 0. 
For every \tpi), Alice sends to Bob a description of a state j?/"^) which is one of 
I'/'m): {0,1}, a^e {0,1}. 

Alice is trying to convince Bob that 6 = 0. Therefore, we can assume 
that she always sends to Bob a description of |0o.o) or |0o,i)- (Replacing a 
description of \(t>i,x) by a description of |0o,2;) can only increase the probability 
of Bob accepting 6 = 0, although it may simultaneously increase the probability 
of Alice caught cheating.) 

We pair up each state \ipi) with the state = C/i|?Ai) and each state U2\'ipi) 
with Usltpi) = U2Ui\ilji). Our "symmetrization" guarantees that 

• if {ipi) and \ipj) are the two states in one pair, then Oi = Oj, 
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• if one of states in a pair has ji/'i) = li^co), the other has = C/i|?!'o,o) = 
|(/)o,i), and conversely, 

• (V'ilV'i) = (^il^j-) (because performing Ui maps l^/ii) and 1-0^-) to |0-) and 
Wj), respectively). 

Therefore, we can write the equation (||) as 

1^) = E«'' (^^N,0)|V.,o) + (3) 

with IV'j'^o) = I0o,o) and IV'-,!) = |0o,i)- 

The probability that Bob accepts \i^i^x) as \ip[ ^) is KV'i.i^l^i a;)^- The total 
probability of Bob accepting is 

E^i«^i'(i(^^oi^^o>p + i(V'MiV'a)n- (4) 

i 

Notice that, because of "symmetrization" , (V'i.olV'i' o) — {'4'i,iWii)- Therefore, 
if we define |^,) = ^|i,0)|V,,o> + and |^',) = -i=|i,0)|V^V + 

75K>1>IV'U)' "^'^ (v3j|</3^) = (?A»,o|V'lo> = (^^ilV-^.i)- This means that 
is equal to 

i 

Let Pi be a mixed state which is IV'i^o) with probability 1/2 and with 
probability 1/2. Then, p' = la^ppi. Since \ipi) and |</j^) are purifications of 
Pi and po, we have \{'Pi\^p'i)\^ < F{pi,po) and 

By concavity of fidelity |^ , 

\a^\''F{p,,po) < F{J2 \a^\''p^,Po) = F{p,po). 

i i 

□ 

Lemma 8 The probability that Alice achieves 6 © 6' = (or, equivalently, b ® 
b' = 1) is at most \{F {p' , pa) + F {p' , pi)) . 

Proof: With probability 1/2, Bob's bit is b' = 0. Then, to achieve b®b' = 0, 
Alice needs to convince him that 6 = 0. By Lemma 0, she succeeds with 
probabihty at most F{p',po). 

With probability 1/2, Bob's bit is b' = 1. Then, Alice needs to convince 
Bob that 6=1 and she can do that with probability F{p',pi). The overall 
probability that Alice succeeds is ^{F{p',po) + F{p' , pi)). □ 
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By Lemma 



Similarly, F{p',pi) = {^^l - S, - S2 + j^VS^)^ . Therefore, 



-(F(p',po) + F(p',Pi)) 

= ^(l-<5i-<52) + y + y + Vl-'^i-^alv^+V^)) . (5) 
Let d — ^i-i^. The convexity of the square root implies that \/6i + \fE^ < 



and (H) is at most 



Taking the derivative of this expression shows that it is maximized hy S — ^. 
Then, it is equal to 5(1 - ^ + |) = f • □ 



4 Lower bound for 3 rounds 

We show a lower bound for a class of 3 round protocols which includes the 
protocol of section || and the protocol of ||^ . This class is defined by fixing the 
structure of the protocol and varying the choice of states \4>b,x)- 

Let Xq and Xi be two sets and ttq and tti be probability distributions over 
Xq and Xi, respectively. Assume that, for every b e {0, 1} and x £ Xi, we have 
a state \4>b,x)- 

1. Alice picks a uniformly random b € {0,1}. Then, she picks x g Xh 
according to the distribution tt;, and sends \4>b.x) to Bob. 

2. Bob picks a random b' e {0, 1}, sends b' to Alice. 

3. Alice sends b and x to Bob. Bob checks if the state that he received in 
the T'' step is \4>b,x)- 

4. The result of the coin flip is 6 © 6'. 



Theorem 2 Any protocol of this type has a bias at least 0.25. 

Proof: Let po and pi be the density matrices sent by an honest Alice if 6 = 
and b — \, respectively. (These density matrices are mixtures of \4>b,x) over 

X e X,.) 
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Lemma 9 Bob can achieve with probability i + lli^e—Eilk 

Proof: By Lemma |l|, there is a measurement M that, apphed to po and pi, 
produces two probabihty distributions with the variational distance between 
them equal to ||po~Pi|| t and it can be chosen so that there are just two outcomes: 
and 1. 

Let Po and 1 — po be the probabilities of outcomes and 1 when the mea- 
surement M is apphed to po- For the variational distance to be ||po — the 
probabilities of outcomes and 1 when the measurement A4 is applied to pi 
have to be po - "^°7^"' and 1 - po + 

Bob applies the measurement A4 to the state that he receives from Alice 
and sends 6 = if the measurement gives and & = 1 if the measurement gives 
1. Since an honest Alice chooses a = with probability 1/2 and a = 1 with 
probability 1/2, Bob achieves a ^ b (and a ® 6 = 0) with probability 

1 ,1 A , IIpo - pi\\t\ 1 , IIpo - pillt 



2^ 2 V 2 J 2 

□ 

Lemma 10 Alice can achieve with probability 

1 v/f(po,pi) 

2 2 

Proof: First, we consider an honest Alice which does the protocol on a quantum 
level. That means that she flips a classical coin to determine a € {0, 1} and 
then prepares the superposition 



IV'a) = ^ \/'^a{i)\i)\(l)a,; 



and sends the second part of the superposition to Bob. After receiving b from 
Bob, she measures i and sends a and i to Bob. 

The pure states \iPq) and 1-01) are purifications of the density matrices po 
and pi. By Lemma |^, there is a unitary transformation U on the Alice's part 
of Vi such that |(V'o|C/(V'i))^ = F{po,pi). 

Let a be such that F{po,pi) — cos^a. Then, {■^po\U{^pl)) — cosa. This 
means that 

iV'o) = cosf |(po) +sinf 
Ulipi) = cosf l^o) - sinf 

for some states \(po), 

A dishonest Alice prepares \(po) and sends the 2"^^ part to Bob. If she receives 
b' — from Bob, she acts as an honest quantum Alice who has prepared \ipo) 
and sent the 2"^^ part to Bob. (That is, she measures her part \i) and sends 
and i to Bob.) Bob accepts 6 = with probability at least^ |(V'o|'/3o)P = cos^ ^• 

*For a formal proof of this, define H to be the space of all bipartite states \ip) such that 
Bob accepts with probability 1, if Alice acts in this way. Then, \tpo) G "H and, since the angle 
between \ipo) and \ipo) is ^, the squared projection of |(po) on H is at least cos^ ^, implying 
that Bob accepts with probability at least cos^ ^ if Alice starts with \<fio). 
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If she receives b' — 1, Ahce performs on her part of \(po) and continues 
as an honest quantum AUce who has prepared ji/'i) (measures \i) and sends to 
1 and i to Bob). Bob accepts 6=1 with probabihty 

In both cases, the probabihty of Bob accepting 6® 6' = is cos^ ^. Therefore, 
the overall probability of 6 ® 6' = is cos^ ^ as well and we have 

2 a _ 1 + cos a _ 1 + ^ F{po, pi) 

COS ~~" — ~ — ~ ■ 

2 2 2 

□ 

If F{po, pi) > J, then, by Lemma ^ Alice can achieve a bias of > 

4 ■ 

If F{po,pi) < J, then, by Lemma ^, Bob can achieve a bias of j\\po — Pi\\t 
and, by Lemma |^, 

□ 



5 Two standard forms for quantum protocols 

We use the following "standard form" for quantum protocols. 

Theorem 3 Jl^ // there is a protocol for quantum coin flipping with a bias at 
most e, there is also a protocol with bias at most e in which no party makes 
measurements until all communication is complete. 

The main idea of the proof of Theorem |^ is that all measurements can be 
delayed till the end of protocol. For more details, see Mayers |2^. This result 
has been very useful for proving the impossibility of quantum bit commitment 
[HI ^ and other cryptographic primitives. 

A different "standard form" has been pointed out to us by Kitaev [p^ . 

Theorem 4 JT^/ // there is a protocol for quantum coin flipping with a bias e, 
there is another protocol with bias e in which only the first message from Alice 
to Bob is quantum and all the other messages are classical. 

The proof idea is that Alice transmits a lot of EPR pairs in the first round 
and, after that, Alice and Bob can replace all quantum communication by clas- 
sical communication using teleportation. 

We do not use this result in our paper but we decided to mention it because it 
might be useful for other purposes. The protocols of the form of Theorem ^ have 
a fairly simple structure. In the first step Alice creates an entangled state with 
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Bob and then they both do operations on their qubits and communicate classical 
information. Because of this simple structure, they might be easier to analyze 
than general protocols. We note that this structure of a protocol somewhat 
resembles the well-known LOCC (local operations and classical communication) 
paradigm in the study of entanglement [ p7| , ^ . 



6 The lower bound on the number of rounds 

Theorem 5 Let e < 1/4. Any protocol for quantum coin flipping that achieves 
a bias e must use r2(loglog-i) rounds. 

Assume we have a protocol for quantum coin flipping with k rounds and a 
bias e. By Theorem |3, we can assume that this protocol does not make any 
measurements till the end of communication. 

The protocol starts with a fixed starting state |?/'°)- Then (if both players 
are honest), Alice applies a unitary transformation Ui, sends some qubits to 
Bob, he applies U2, sends some qubits to Alice and so on. After Uk, both Alice 
and Bob perform measurements on their parts. Since there is no measurements 
till the communication is finished, the joint state of Alice and Bob after i steps 
is a pure state IV'*)- 

At the end of protocol, Alice and Bob measure the final state to determine 
the outcome of the coin flip. If both Alice and Bob follow the protocol, the two 
measurements give the same result and this result is with probability 1/2 and 
1 with probability 1/2. 

For our analysis, we decompose each of intermediate states as |'0o) + I'0i)j 
where |-0q) is the state which leads to the outcome if the rest of protocol is 
applied and jV'i) is the state which leads to the outcome 1 if the rest of protocol 
is applied. This is done as follows. 

First, we decompose the final state \tp'^). Let |V'o) and be the (un- 
normalized) states after the final measurement if the measurement gives (1). 
Then, iV'o) -L IV'f) and IV''') = IV'o) + Also, HV-oll^ = UiW^ = \ (since a 

protocol must give with probability 1/2 and 1 with probability 1/2). 

Next, we define = [U,+iU,+2 ■ ■ ■ Uk)-^\^^) and \^Pl) = {U,+iU,+2 . . . UkT 
Then, IV'''') = IV'o) + \'>Pi) implies IV'*) = IV'o) + \^\)- 

Let p\ j (yOg j) be the density matrix of Alice's (Bob's) part of the (normal- 
ized) bipartite state \/2|'0j)- Let F\ (FJj) be the fidelity between p\ q and ^ 
ipB,o and p^B^i). 

Our proof is based on analyzing how and Fg change during the protocol. 
We show that they must be large at the beginning, at the end and, if they 
decrease too fast, this creates an opportunity for cheating. This implies the 
lower bound on the number of rounds. 

We start with the simplest part of the proof: F\ and Fg must be small at 
the end [i = k). 

Lemma 11 FX=F^= 0. 
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Proof: At the end, both AHce and Bob know the outcome of the protocol 
with certainty. That means that there is a measurement of Alice's qubits that 
perfectly distinguishes |V'o) ^ud \tpi) (i.e., this measurement gives with prob- 
ability 1 on Ii/jq) and 1 with probability By Lemma |l|, q — -^Hf = 2. 
By Lemma ||, F{p\ Pa i) must be 0. 
Similarly, = 0. □ ' 

Second, we show that, if or is too small, one of sides can cheat. 
Lemma 12 Alice can achieve one of outcomes and 1 with probability at least 

Proof: Since there is no communication before the start of the protocol, the 
starting superposition 1-0") is a tensor product \4' a) ® with Alice having 

\iPa) aud Bob having IV's)- 

Consider the best measurement Al (for Alice) that distinguishes p\ g and 
p\ (Lemma |l|). Then, j^g) = IV'oo) + l^oi), where IV'oo) is the remaining state 
if the measurement M. on |0q) gives the outcome and iV'oi) is the remaining 
state if M. gives the outcome 1. Let j^i) = l^io) + with IV'io) and \tpii) 

defined similarly. 

If Alice apphes M. to = IV'g) + 10?) i she either gets the outcome 
and the remaining state |'0g) = |'0oo) + iV'io) or 1 and the remaining state 
Wi) = IV'oi) + |0ii)- |V'°) is a product state and the measurement M is applied 
to Alice's side only. Therefore, IV'q) and 101) (the remaining states when M. 
gives and 1) are product states as well. 

Since |-0°) = |0^) + |-0i)> either ||0^||2 > i or > i. For simplicity, 

we assume that | IV'q IP ^ \ and Alice is trying to achieve the outcome 0. (The 
outcome 1 can be achieved similarly with a slightly smaller probability.) 

Let |'0^) ® \4'b) be the normalized state ||^7|i-- To bias the coin towards 0, 
Alice just runs the honest protocol with her starting state being |'0a) instead 
of |0a). 

Let ||V'oi|P + ||0io|P < £• We show that this implies that |0^) (Xi IV'b) is close 
to the normalized state v^lV'g) (which gives the outcome with probability 1). 
We have 

l^o) ^ IV'oo) + _ l^oo) + l^oi) l^io) - IV'Ol) 

ll^^ll IIV-^II ll^^ll IIV-^,!! ■ 

|0oo) + |'0oi) = |0g) leads to the outcome with certainty. Therefore, the 
probability of a different outcome (1 or Alice caught cheating) is at most 

11010 -V^OllP ^ llV^lof +II^Ol|P ^ g _g 

11^-^,11^ - -1/2 

Therefore, the described strategy for dishonest Alice gives with probability at 
least 1 — 2e. 

Next, we bound ||V'oi|P + ll^iolP- 
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Let 1 — po and po be the probabilities of outcomes and 1 when measuring 
\/2|i/'o)- Let pi and 1—pi be the probabihties of and 1 when measuring v^lf/jj). 
Then, the variational distance between these two probability distributions is 
2(1 — Po ~Pi)- Since we are using the best measurement for distinguishing g 
and j^, 2(1 — po — Pi) is equal to Wp'ao ~ p'a 1 11*- -'^y Lemma ^, this implies 

1 - /f^ = 1 - ^Jf{p%„pX,) < WpXo - pX,\U = (1 - po - Pi) 

and this is equivalent to po + Pi < \/ F*^. 

Notice that po = 2||-0oiP because pj^ q is the density matrix of Alice's side 
of ^/2\tp'^ q) and \ipoi) is the remaining state if the measurement of lipj^ q) gives 
1. Similarly, pi = 2||V'io|P- Therefore, we have HV'oilP + IIV'iolP < sV^a and 
Alice can bias the coin to with probability at least 1 — \/Fa- □ 

Hence, if the bias of a protocol is e, then, by Definition we must have 
1 - ^/fJ < i + e. This implies > i - e and > (i - ef. Since e < 1/4, 

wc must have > j^. 

Third, we show that, if after any round, one of F^^ and F^ is much larger 
than the other, this also creates a possibility for cheating. 

Lemma 13 Let i e {1, . . . , fc — 1}. Then, there is a strategy for dishonest Alice 
which achieves the result with probability at least 

Proof: For brevity, we denote F^ and Fg by Fa and Fb (omitting the index i 
which is the same throughout the proof). 

We first prove the Fa — case. This case was previously considered by 
Mayers et.al.|2^. They showed that, if Fa = and Fb > 0, then Alice can 
successfully cheat. Below, we show how to formalize their argument so that it 
shows the probability that Alice can achieve. 
Fa = case. Then, (|) is just ^ + 

By Lemma |, F{p\ f^,p\^) ^ Fa = implies \\PA,o~PAA\\t = 2- By Lemma 
|l|, there is a measurement for Alice that perfectly distinguishes p\ q and p\ . 
With probability 1/2, the outcome of the measurement is and the joint state 
of Alice and Bob after the measurement is \ipo)- With probability 1/2, the 
outcome is 1 and the joint state of Alice and Bob becomes IV'i)- In the first 
case, she just continues as in the honest protocol. This gives the answer with 
probability 1/2. 

If she gets \ipi), by Lemma |3| there is a unitary transformation U that can 
be performed by Alice such that 

\{%\U{i:l))\' - i^(PB.o,Pki)llV'oll' = ^^^''3'^''^'^ - ^- (7) 
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Alice performs U and then continues as in the honest protocol. This gives the 
answer with probability at least Fb/2. 

Together, the probability of answer is at least ^(1 + Fb). 

Fa > case. By Lemma ^ there is a measurement A4 for Alice that, applied 
to p\ g and p\ I , produces two probability distributions with the variational 
distance between them at least 2(1 — ^/Fa)- Without the loss of generality, 
we can assume that this is a measurement with two outcomes and 1 and the 
probability of is higher for p\ q and the probability of 1 is higher for p\ ^ . 

The strategy for cheating Alice is the same as in the Fa = case. She 
applies the measurement M and, then, if she gets 0, continues as in the honest 
protocol. If she gets 1, she applies the transformation U and then continues as 
in the honest protocol. 

Next, we show that this strategy achieves the result with the probability 
given by the formula (^). 

Let I'i/^g) and \^[) denote the (unnormalized) remaining states when the 
outcome of the measurement is and 1 , respectively. 

Also, let \tpab) (for a,b & {0, 1}) denote the (unnormahzed) remaining states 
when 1^*) is measured and the outcome of the measurement is b. Since jV'*) = 
l^o) + IV-l), we have \%) = \iPoo) + IV'io) and IV'i) = IV'oi) + l^ii)- 

On the other hand, |^o) = l^oo) + IV'oi) and \^\) = \ipio) + Therefore, 

\\< - V-oll = llV-io - V'oill < IIV-ioll + IIV'oill < V2(||^ioP+||V'oiP). (8) 

Similarly to the proof of Lemma HV'ioll^ + llV'oilP < \VFa- Therefore, (||) 
is at most \/Fa- We also have — V"!!! ^ \/Fa with the same proof. 

Let TYq be the set of bipartite states such that applying the rest of the 
protocol {UkUk-i ■ ■ ■ Ui+i) and the final measurement at the end of the protocol 
gives the outcome with probability 1. Then, S Hq. Also, the norm of the 
projection of U{\^\)) on Hj, is at least (by (|)). 

Consider the norms of the projections of \iPq) and \'ip[) on Hq. They differ 
from the norms of jV'o) and by at most — -0q|| < -^Fa and — "0111 ^ 
■^Fa- Therefore, the projection of j-^o) on Hq is of norm at least — \/Fa and 

the projection of U\'tp[) is of norm at least -^'^S- — -^Fa- This means that the 
probability of outcome is at least 

□ 

For the purposes of this paper, a weaker form of lemma ^ is sufficient. 

Corollary 1 Let i € {I, . . . , k—1} . Then, there is a strategy for dishonest Alice 
which achieves the result with probability at least ^ + — 2^/2^ Fa- 

Proof: We have 
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7 Conclusion 



We have constructed a protocol for quantum coin flipping with bias 0.25 and 
shown that it is optimal for a restricted class of protocols. We also gave a 
general lower bound on the number of rounds needed to achieve a bias e. A 
stronger lower bound has been later shown by Kitaev but our bound also 
applies to weak coin flipping. The table below summarizes the known results 
for both strong and weak coin flipping. 





Best protocol 


Best lower bound 


Strong 


0.25 (this paper) 


72^1 = 0.21... y 


Weak 


^-i = 0.21... |3| 


e > 0, O(loglog^) rounds required 
(this paper) 



The bounds for strong coin flipping are quite close but weak coin flipping is 
still wide open. 

Another interesting question about coin flipping protocols is "cheat-sensitivity' 
studied by [|[ |3^ . A protocol is for coin flipping or other cryptographic tasks 
is cheat-sensitive if a dishonest party cannot increase the probability of one out- 
come without being detected with some probability. Many quantum protocols 
display some cheat-sensitivity but it remains to be seen what degree of cheat- 
sensitivity can be achieved. 
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